Background
After the HTTP/2 standard was officially published in May 2015, it gained support in the vast majority of browsers, yet as of this writing less than a third of websites use it.
The aim of this post is to quickly set up a local HTTP/2 service that developers can use for development and testing, and so deepen their understanding of HTTP/2.
Environment
- OpenSSL: 1.0.2q
- Nginx: 1.15.7
Steps
- Generate a local root certificate:
# Generate a 4096-bit root key, encrypted with AES-256
openssl genrsa -aes256 -out rootCA.key 4096
Enter pass phrase for rootCA.key: password
Verifying - Enter pass phrase for rootCA.key: password
The parameters are documented in man ca, or see here.
# Generate the root certificate from the root key
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Enter pass phrase for rootCA.key: password
You are about to be asked to enter information that will be incorporated
...
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Lovecoding.org
Organizational Unit Name (eg, section) []:Lovecoding CA
Common Name (e.g. server FQDN or YOUR name) []:Lovecoding ROOT CA
Email Address []:
Generating a RSA private key
- Generate the local self-signed certificate
# Generate the server key and certificate signing request
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
# Sign the request with the root CA to produce the server certificate
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 600 -sha256 -extfile v3.ext
where server.csr.cnf is:
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = CN
ST = Beijing
L = Beijing
O = MyOrganization
OU = MyOrganizationUnit
emailAddress = lovecoding@example.com
CN = localhost
and v3.ext is:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1=localhost
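The three openssl steps above, collected into one non-interactive script together with the checks worth running before handing the files to nginx (the leaf chains to the root, it is not itself a CA, the SAN carries localhost, and key and certificate match). This is an added example, not the post's own local-http2 code. It assumes the root-key passphrase arrives in the CA_PASS environment variable (placeholder default), that files are written to the current directory, and that the root CA's extensions are spelled out in a rootca.cnf of its own instead of relying on the system openssl.cnf; it also adds extendedKeyUsage=serverAuth to v3.ext, which the post's version lacks but which current macOS and iOS require on TLS server certificates.

```shell
#!/bin/sh
# Added example (not the post's script): reproduces the post's openssl steps
# non-interactively and verifies the result. Assumptions: passphrase in $CA_PASS,
# output in $PWD, explicit root-CA extensions, extendedKeyUsage=serverAuth added.
set -eu

generate_local_pki() {
  export CA_PASS="${CA_PASS:-changeit-placeholder}"   # root key passphrase (placeholder)
  CA_BITS="${CA_BITS:-4096}"                          # the post uses 4096

  # Root CA request config with explicit CA:TRUE and key usage.
  cat > rootca.cnf <<'EOF'
[ req ]
prompt = no
default_md = sha256
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
C = CN
ST = Beijing
L = Beijing
O = Lovecoding.org
OU = Lovecoding CA
CN = Lovecoding ROOT CA
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  # Leaf CSR config and extension file as in the post, plus the serverAuth EKU.
  cat > server.csr.cnf <<'EOF'
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = CN
ST = Beijing
L = Beijing
O = MyOrganization
OU = MyOrganizationUnit
emailAddress = lovecoding@example.com
CN = localhost
EOF
  cat > v3.ext <<'EOF'
authorityKeyIdentifier = keyid,issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = localhost
EOF
  # 1. AES-256-encrypted root key and self-signed root certificate.
  openssl genrsa -aes256 -passout env:CA_PASS -out rootCA.key "$CA_BITS" || return 1
  openssl req -x509 -new -key rootCA.key -passin env:CA_PASS -sha256 -days 1024 \
    -config rootca.cnf -out rootCA.pem || return 1
  # 2. Unencrypted server key and CSR (nginx must read the key without a prompt).
  openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout server.key \
    -out server.csr -config server.csr.cnf || return 1
  # 3. Sign the CSR with the root, applying the SAN/EKU extensions.
  openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -passin env:CA_PASS \
    -CAcreateserial -out server.crt -days 600 -sha256 -extfile v3.ext || return 1
}

# Checks before the files go anywhere near nginx.
verify_local_pki() {
  openssl verify -CAfile rootCA.pem server.crt >/dev/null || return 1   # chains to root
  txt=$(openssl x509 -in server.crt -noout -text) || return 1
  echo "$txt" | grep -q 'CA:FALSE' || return 1                          # leaf is not a CA
  echo "$txt" | grep -q 'DNS:localhost' || return 1                     # SAN the browser checks
  echo "$txt" | grep -q 'TLS Web Server Authentication' || return 1     # serverAuth EKU present
  # Key and certificate must belong together (a common copy/paste mistake).
  [ "$(openssl rsa -in server.key -noout -modulus)" = \
    "$(openssl x509 -in server.crt -noout -modulus)" ] || return 1
}

case "${1:-}" in
  generate) generate_local_pki && verify_local_pki && echo "local PKI OK" ;;
esac
```

Run it as `sh make-local-pki.sh generate` (the file name is assumed); a 4096-bit root key takes a few seconds. Only server.crt and server.key belong on the nginx host: rootCA.key stays off the server, because whoever holds it can issue a certificate for any name that the machines trusting rootCA.pem will accept.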
- Configure nginx
Add server.crt and server.key to nginx:
server {
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:1m;
server_name localhost;
...
Test the configuration and reload nginx:
sudo nginx -t
sudo nginx -s reload
- Trust the self-signed certificate
The first time you open the page the browser will warn that the certificate is invalid; add the self-signed certificate to the trust list:
- Mac OS:
sudo security add-trusted-cert -d -r trustAsRoot -k /Library/Keychains/System.keychain server.crt
- Ubuntu:
sudo cp server.crt /usr/local/share/ca-certificates/server.crt
sudo update-ca-certificates
For other systems, see here.
Now open the browser and you should see:
(screenshot of the result)
which shows that the self-signed certificate is accepted and the server supports HTTP/2.
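The browser screenshot is one check; the probe below, added here and not part of the post, verifies the same thing from the command line with openssl s_client. It assumes the server listens on localhost:443 and trusts rootCA.pem (the issuer of server.crt) rather than server.crt itself. It also rejects anything below TLS 1.2: RFC 7540 does not allow HTTP/2 over older TLS versions, so the TLSv1 and TLSv1.1 entries in the ssl_protocols line of the nginx config above only ever serve HTTP/1.1 clients and are best removed.

```shell
#!/bin/sh
# Added example (not from the post): client-side check that nginx really
# negotiates HTTP/2 over a trusted TLS 1.2+ session.
# Assumptions: server at localhost:443, root certificate at ./rootCA.pem.

# Perform one handshake offering ALPN "h2" and return everything s_client reports.
probe_h2() {
  host="${1:-localhost}"; port="${2:-443}"; cafile="${3:-rootCA.pem}"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
      -alpn h2 -CAfile "$cafile" 2>&1
}

# Evaluate s_client output. Exit status: 0 all good, 1 chain not trusted,
# 2 server did not select h2, 3 protocol older than TLS 1.2.
check_h2_result() {
  out="$1"
  echo "$out" | grep -q 'Verify return code: 0 (ok)' \
    || { echo "certificate chain not trusted"; return 1; }
  echo "$out" | grep -q '^ALPN protocol: h2$' \
    || { echo "server did not select h2 via ALPN"; return 2; }
  proto=$(echo "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
  case "$proto" in
    TLSv1.2|TLSv1.3) ;;
    *) echo "HTTP/2 requires TLS 1.2 or newer, got: ${proto:-unknown}"; return 3 ;;
  esac
  echo "OK: $proto with ALPN h2"
}

case "${1:-}" in
  probe) check_h2_result "$(probe_h2 "${2:-localhost}" "${3:-443}" "${4:-rootCA.pem}")" ;;
esac
```

Run it as `sh h2-probe.sh probe localhost 443 rootCA.pem` (the file name is assumed). A trusted chain with "No ALPN negotiated" means nginx was built without ALPN support or the http2 flag is missing from the listen directive; a non-zero verify code with a correct ALPN answer means the trust step above was not applied for the certificate file the server actually presents.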
Summary
This post described how to quickly set up a local HTTP/2 service; I hope it helps fellow developers. All the code is in local-http2; give it a star if you like it :).
The HTTP/3 draft is also out now; take a look if you are interested.